You are viewing a single thread.
View all comments
379 points

What is he talking about, public WiFi can easily poison and monitor your DNS requests (most people don’t know or use encrypted DNS), and there’s still tons of non-https traffic leaks all over the place that are plain text. Even if encrypted, there’s still deep packet inspection. VPNs can mitigate DPI techniques and shift the trust from an easily snoopable public WiFi to the VPN’s more trustworthy exit servers.

This guy really needs to elaborate on what he’s trying to say when the cyber security field very much disagrees with this stance. I’m not a huge fan of Proton, but they aren’t doing anything wrong here. You should use it for public Wi-Fi.

permalink
report
reply
32 points

Dpi only works if they install a cert on your phone. Else they can’t crack it (in real time) or you would receive HTTPS errors

permalink
report
parent
reply
4 points

You dont need to examine the contents of http traffic to do what many services call DPI.

you can still read unencrypted traffic, like most DNS. Or even without that, you can frequently tell from the endpoint IP who someone is talking to, and what types of applications from port numbers used. Etc.

If you’re torrenting, for example, that’s pretty easy to see.

permalink
report
parent
reply
4 points

Still not DPI. Regardless of what other manufacturers or devs call it.
At best it’s a network monitor. Literally pihole can give you most of those stats as well.

permalink
report
parent
reply
1 point
Deleted by creator
permalink
report
parent
reply
-8 points

most people don’t know or use encrypted DNS

But a cybersecurity expert does. That’s the point. If you know those things, VPNs become obsolete, for most people. So why not teach people about it, instead of promoting VPNs?

And can you really trust an extremely profit focused company, that is built on user data, more than your local Café? If you’re in China, sure, use a VPN, they’re the lesser evil. But most spots don’t have the resources or expertise to analyze and sell or otherwise misuse your logs. VPN companies not only do, most rely on it.

If you’re a highly targeted person, it’s another story, but in that case your only hope is Tor or a new identity.

permalink
report
parent
reply
1 point

I’ve never really understood that argument. Most VPN software I’ve seen forces your DNS through the VPN as well which would bypass a public Wi-Fi’s attempt to DNS poison.

I use a VPN anytime I’m not on my home network just because it’s a super easy way for me to force my DNS to my own custom DNS with Adblock listing on the machine that’s running the VPN endpoint.

It’s wireguard, and it connects to a direct IP address. If someone tries to redirect or otherwise man in the middle of the connection wireguard will simply fail to establish a connection. Thanks to the fact that it uses a similar idea to pgp where the client and server already have each other’s public keys and there’s not really an unencrypted initial handshake even the initial talking has a form of encrypted communication thanks to the key pairings.

So like, my vpn is definitely proving security. Whether or not every random ass VPN you can buy is smart enough to force all DNS over the VPN or anything else I guess I can’t say for sure maybe it’s not common and that’s why but it definitely can be used to help automate some security measures when using a public network

permalink
report
parent
reply
12 points

Encrypted DNS doesn’t solve everything. Handshake for TLS sessions is still in clear, you can usually see the SNI, and since we are talking about Wireless, usually this data is available to anybody who is in the vicinity, not just the network owner. This already means that you can see what sites someone is visiting, more or less. TLS 1.3 can mitigate some of this (for those who implement ESNI, but you don’t know that beforehand). Also TLS works until the user is not accepting invalid certificates prompts (HSTS doesn’t work for everything) and there are still tons of HTTP-based redirect (check mailing newsletters and see how many first send you to an HTTP site, for example) that can be used for MiTM attacks.

A VPN moves the trust to a single provider that you can choose, which is much better than trusting every single WiFi network you can attach to and the people connected to it, I would say.

Also if you pay for the VPN (I pay Proton), it’s not true that the company business is based on user data, they are based on subscriptions.

permalink
report
parent
reply
5 points

Lmao, we’re not worried about the cafe. We’re worried about the man in the middle. And yeah with enough tech knowledge you can set up an encrypted tunnel home and use your normal connection from there. But most people aren’t that tech savvy

permalink
report
parent
reply
0 points

If you’re not relatively tech savy, a typical VPN IS the man in the middle. That’s the problem. A VPN, in itself, is very good. But as you said, non-tech savy users won’t be able to set up a VPN themselves, so they need to trust a company to route all their traffic, be their DNS server, not log anything, not be hacked and not give any data to current or future totalitarian governments. Not even I could recommend any VPN company that fulfills enough points there, especially the security related ones.

permalink
report
parent
reply
5 points

But most spots don’t have the resources or expertise to analyze and sell or otherwise misuse your logs.

Most spots don’t have also the resources or expertise to secure their own spot. As I remember, cheap routers used in public places may contain a lot of vulnerabilities.

encrypted DNS

Will it help me if I’m using LbreTorrent do download piracy content on my phone? Or how it would help me to hide my location from mobile apps that extract location from IP?

permalink
report
parent
reply
0 points

No. That’s a whole different use case. We’re discussing what most people in a public network should do. Some people, such as whistleblowers, journalists etc. maybe should use a VPN. For you grandparents, it would be pure snake oil. And even as such an endangered person, choosing the wrong, so almost all, VPNs would be even more dangerous.

For your problems, a VPN could be useful, even though for the former I would use the usenet or soap2day-like sites, which do not have you seed that content. If you still want to share it, then use a VPN. ONLY for the torrent process, not for anything else, as that would still be bad for privacy and security, as the VPN company could, and most WILL, surveil and log you. And for the latter problem, don’t use such apps except in closed environments or without internet access.

permalink
report
parent
reply
25 points

Proton is a non profit.

permalink
report
parent
reply
13 points
*

But Proton Bad? I don’t understand. The armchair security nerds on Lemmy want me to hate something.

permalink
report
parent
reply
17 points
*

So why not teach people about it, instead of promoting VPNs?

Ok then, in the meantime the rest of us will use a fucking VPN? I don’t know what “encrypted DNS” means, and I’m 99% you’re going to respond with either “whaaaaat you don’t know something that 99.999% of other people also don’t know? Clearly you are too dumb for the internet” or else “oh sure I’d be glad to explain that! It’s real simple, see when you have a Rosendin gembal, it befrazzles the gesticulators of your brangles (link to a Wikipedia article on brangles). So you just have to re-delineate the scanditrons to break the tensor lines in your scintrins! You can code a fairly simple app from scratch to do it, and there’s a FOSS program someone made to help you identify the cabangs in your computer’s lenticles: (link to a github page that is literally just a transcription of an eldritch god screaming in binary)”

VPNs are extremely user friendly and they are happy to explain in layman’s terms exactly what they do and how they work. If there’s a better way, it’s locked behind years of techie knowledge.

permalink
report
parent
reply
0 points

And most users don’t know what a VPN is. In both cases, they’re not gonna learn anything about it. Except you need to pay for a VPN, after figuring out which one is kinda trustworthy instead of snakeoil, while encrypted DNS is a simple setting on any OS. Nothing more. You don’t need whole articles to explain what your product does and why you respect privacy and blah, while not saying a single word that’s true. It’s a simple setting. VPNs are not only user friendly, they’re a full ripoff for most people and snakeoil. They don’t explain what they do in “laymans terms”, most of them just blatantly lie. Anything for the cash. If you want an explanation of encrypted DNS:

A DNS is kind of like your GPS. It translates an address into something more usable, e.g… like your GPS translates ‘123 Baker Street, Washington’ into coordinates, so you can use it on a map, for example. A DNS does the same, but for the internet: It translates “google.de” into a format that is actually readable and usable to the computer. However, to translate “google.de” you need to reach out to someone else, that knows the address. The thing is, if someone just pretends to give the right answer, but in fact gives you their own address, you may end up at the wrong website, or in the GPS example, at the wrong house. So instead of visiting your actual bank’s website, you’re going to visit someone else’s website, which looks basically the same, except once you log into your bank account the attacker can read that and steal all your money. In the GPS example, you would now be at the slaughterhouse instead of Disneyland. An encrypted DNS just means that you specify exactly whom you will trust, for example google, and that you want your communication with google to be encrypted, so no one can even read which website you want to visit.

If someone doesn’t understand this, they wouldn’t understand what a VPN is, even broken down to bare concepts. So for those people: It makes you safe just trust me just set this setting, no app, no account, no money required. Because that’s the level a typical VPN company argues on.

permalink
report
parent
reply
4 points

People can’t learn not to throw trash in the street, climate change that is backed by decades of science is a problem, or hell, they can’t even learn to effectively not click on super suspicious phishing links.

How on earth are they going to learn about implementing encrypted DNS when most barely know the difference between a browser and a computer.

permalink
report
parent
reply
1 point

99.9% of people don’t throw trash in the street.

At least in most countries.

permalink
report
parent
reply
1 point

Then they won’t know what a VPN is either.

permalink
report
parent
reply
28 points

Yeah, while it is true, lots of VPN companies are grifts just buying VPS’s and installing OpenVPN, this “Cyber security expert” puts far too much faith in HTTPS and probably never seen a lecture from the Black Hat conference

permalink
report
parent
reply
4 points

Many VPNs using OpenVPN is…fine.

The value adding is the VPN infrastructure they’re providing. You can’t just install the standard OpenVPN client and expect it to DO anything without some kind of service.

True on the HTTPS thing.

permalink
report
parent
reply
10 points

probably never seen a lecture from the Black Hat conference

Not defending Robert Graham because I’m also eyebrow raising his statement. And while you may be 100% correct that he never actually stayed to listen to a lecture, he absolutely spoke at a lot of them since 2000.

https://infocondb.org/presenter/robert-graham

permalink
report
parent
reply
12 points

My bad for judging without checking 😔

permalink
report
parent
reply
8 points

I’m not even an expert in this stuff, but with a tool I found online I demonstrated that it was easy to snoop people’s passwords on my school’s wifi networks back in the day. It took minutes.

permalink
report
parent
reply
22 points

That must’ve been quite a while ago

permalink
report
parent
reply
-5 points

I mean, yes, I’m in my 40s, but it’s just as effective today.

permalink
report
parent
reply
71 points
*

Yup. You can grab any unencrypted data passed between the user’s browser and a server literally out of thin air when they’re connected to an open access point. You sit happily at the Starbucks with your laptop, sniffing them WiFi packets and grabbing things off of them.

Oh and you have no idea what the myriad of apps you’re using are connecting to and whether that endpoint is encrypted. Do not underestimate the ability of firms to produce software at the absolute lowest cost with corners and walls missing.

If I was someone who was to make money off of scamming people, one thing I’d have tried to do is to rig portable sniffers at public locations with large foot traffic and open WiFi like train stations, airports, etc. Throw em around then filter for interesting stuff. Oh here’s some personal info. Oh there’s a session token for some app. Let me see what else I can get from that app for that person.

permalink
report
parent
reply
6 points

Also, any unlatched, unfirewalled vulnerabilities you have are immediately available to anyone on that local WiFi network. One thing VPNs may do is cause you to ignore requests from systems on the local network, which helps.

permalink
report
parent
reply
3 points

That’s an interesting one. I know it depends on configuration, but in the run-of-the-mill case, does connecting through VPN stop local services to listen on local IPs? I know our corpo VPN kills local LAN access but I’m curious what the default for OpenVPN/Wireguard might be.

permalink
report
parent
reply
8 points
*

We need a switch like Firefox has that disallows anything non-HTTPS, but from the phone level. Companies like Apple and Google could also eventually warn apps that they’re going to make it the default setting.

permalink
report
parent
reply
7 points

Apps don’t use the system browser to connect to REST endpoints. Neither do they use the OS. Apps typically use a statically linked library. There are use cases for HTTP-only connections so it’s unlikely that those libraries would mess with forcing or even warning its users that they’ve used HTTP instead of HTTPS. Point is Google and Apple can do little in this regard. Unless they scan apps’ source code which could be possible to some extent but still difficult because URLs are often written in pieces.

permalink
report
parent
reply
25 points

Just FYI https://shop.hak5.org/products/wifi-pineapple. There are ready-made devices that can do basically what you are describing!

permalink
report
parent
reply
7 points
*

Oh nice. Just gotta dress em up like Unifi or Aruba then stick em up on the ceiling.

permalink
report
parent
reply
43 points
*

How is DPI a problem if it’s encrypted? That would only work if the attacker had installed their CA cert on your client machine, right?

permalink
report
parent
reply
12 points
*

I think it might be confusion between inspecting plaintext metadata like SNI vs actually inspecting encrypted contents (e.g. HTTPS content, headers, etc.).

permalink
report
parent
reply
9 points

Yeah, deep packet inspection really doesn’t work without breaking https security via man in the middling everything.

permalink
report
parent
reply
48 points

I’m doing DPI on my own network and I can still view TLS certificate fingerprints and some metadata that provides a good educated guess as to what a traffic flow contains. It certainly better that it’s encrypted, but there is a little information that leaks in metadata. I think that’s what was meant.

permalink
report
parent
reply
30 points
*

True, but this is generally not useful information to anyone. They can see you’re visiting bank.com, but they still can’t see your bank details.

It might be useful if they’re trying to target you for phishing, but a targeted attack is extremely unlikely.

Also, any wireless equipment from the past 15 years or so supports client isolation.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 6.7K

    Posts

  • 152K

    Comments